I'm a longtime IIS user, but new to IIS7. I have a need in our org to route users on our multi-domain intranet, based on their domain. I'm looking at IIS because of integrated windows auth (otherwise I'd go with HAProxy on a linux box).

Our users would be surfing to server "FOO", which would really be a proxy. The proxy would look at their domain (DOMAIN\username), and if they are in domain "A", the proxy would route their requests to FOO_A. If they are in domain "B", then they get routed to FOO_B.

I see that IIS has their version of a proxy, "Application Request Routing". The examples I saw were for more of a web farm scenario, rather than what I'd call an intelligent proxy.

For those of you more seasoned with IIS7, is what I want to do possible? Can I proxy inbound requests based on the requestor's authenticated (via IWA) domain membership?

1 Answer
1

I'm not sure if this is exactly what you are looking for, but Microsoft's URL Rewriter for IIS allows you to set up inbound rewrite/redirect rules based on server variables, like AUTH_USER which would contain the domain.

I so wish URL Rewriter worked, but after hours of pounding sand, I found this: forums.iis.net/p/1155169/1978602.aspx#1978602 Turns out that since URL Rewriter runs prior to any authentication, AUTH_USER (or REMOTE_USER) never gets populated, so they always end up null, and thus no domain-based redirection. Argh!
– Alan M Apr 12 '11 at 21:08

Well, it isn't high-tech or elegant, but you could always have the server FOO have a single page at the root that has a small amount of code that looks at the user's domain and redirects them to FOO_A or FOO_B. It would probably take all of 2 or 3 lines of code.
– Dave Wise Apr 12 '11 at 21:17

Problem: there is nothing keeping a curious/sneaky user from going to FOO_A or FOO_B, as our FOOs are appliances which themselves don't have any sort of useful access control mechanism. And in the end, that's what we had to do: go with a front-end app doing an HTTP redirect to one FOO or another. Argh.
– Alan M Apr 14 '11 at 15:03

Last night, I had the thought that perhaps your F5 / Corporate Proxy / Firewall could create a rule for this. I don't work with those devices often but am almost sure they can create domain-specific routing rules.
– Dave Wise Apr 14 '11 at 15:13
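The root-page redirect Dave Wise suggests, written out as an added example (not code from anyone in this thread) as an ASP.NET IHttpHandler for the FOO front end. It assumes Windows Authentication is enabled and anonymous authentication disabled on the site (so the identity is populated by the time a handler runs, unlike URL Rewrite), and the domain-to-appliance table and hostnames are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Added example, not code from the thread. Register in web.config as the
// handler for the site root; requires Windows auth on, anonymous auth off.
public class DomainRouter : IHttpHandler
{
    // Hypothetical AD domain -> appliance mapping. Domains not listed here
    // get a 403 rather than a "default" appliance, so a misconfigured or
    // unexpected trust cannot silently land on the wrong FOO.
    private static readonly Dictionary<string, string> Targets =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "A", "https://foo-a.example.corp" },   // placeholder host
            { "B", "https://foo-b.example.corp" },   // placeholder host
        };

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        var identity = context.User != null ? context.User.Identity : null;
        if (identity == null || !identity.IsAuthenticated)
        {
            // Should not happen with anonymous auth disabled; fail closed.
            context.Response.StatusCode = 401;
            return;
        }

        string target;
        if (!TryResolveTarget(identity.Name, out target))
        {
            context.Response.StatusCode = 403;   // unknown domain
            return;
        }

        // 302 to the appliance, preserving path and query; the browser
        // then performs IWA against the target itself.
        context.Response.Redirect(target + context.Request.RawUrl, false);
    }

    // Extracts "DOMAIN" from "DOMAIN\user" and looks it up. UPN-style names
    // (user@domain) or names with no domain part are treated as unknown.
    public static bool TryResolveTarget(string logonName, out string target)
    {
        target = null;
        if (string.IsNullOrEmpty(logonName)) return false;
        int sep = logonName.IndexOf('\\');
        if (sep <= 0) return false;
        return Targets.TryGetValue(logonName.Substring(0, sep), out target);
    }
}
```

As Alan M notes above, a redirect only steers users; it does nothing to stop someone from browsing straight to FOO_A or FOO_B, which needs access control on the appliances or in front of them.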